On Tue, May 20, 2008 at 10:03:32PM -0700, Jason C. Wells wrote: > Jeremy Chadwick wrote: > >> I believe it's because pf(4) doesn't make assumptions about what you >> want to filter. NAT is stateful (it has to be, because packets are >> being re-written, and the WAN-side port numbers are going to be >> different than the LAN-side), but filtering rules still apply **after** >> the translation has been done. >> >> What's happening is that your nat rule results in pf re-writing the >> packet, then the packet is immediately blocked by one of your block >> rules (I'm assuming "block out"). >> >> The pf.conf manpage documents this, more or less: >> >> Since translation occurs before filtering the filter engine will see >> packets as they look after any addresses and ports have been translated. >> Filter rules will therefore have to filter based on the translated >> address and port number. Packets that match a translation rule are only >> automatically passed if the pass modifier is given, otherwise they are >> still subject to block and pass rules. > > I guess my misunderstanding comes in where the pass modifier is concerned. > I also have a weak understand of what "state" actually means. The > "automatically passsed" part of your citation isn't automatically passing.
Oh! I'm sorry, I missed the "pass" word that was in your nat rule. I don't ultimately know what that does internally to pf. There does not appear to be any actual documentation on what the "pass" entry in a nat rule actually does. This sounds like it could be a bug; even the pf examples in /usr/share/examples/pf don't use "pass" in a nat rule. I'll leave the bug comment up to the pf experts here to analyse, though. -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"
